Patch Tuesday: Three Security Bulletins, Two Critical

Microsoft released three security bulletins for Windows on Tuesday, its monthly date for patching security problems. Two of the security bulletins involve critical vulnerabilities that could allow an attacker to take complete control of a user's system over the Internet. The patches are especially important because both critical vulnerabilities had already been publicly disclosed.

The bulletins are Microsoft's first three for 2005, after posting 45 bulletins in 2004. In all, the bulletins from this week patch four discrete flaws.

Bulletin MS05-001 affects all supported versions of Windows, including Windows XP with Service Pack 2.

The flaw exists in the HTML Help ActiveX control in Windows. It can allow information disclosure or remote code execution. After it is applied, the patch may cause some Web-based applications to stop working properly. Individual Web sites that invoke the control must be enabled on a site-by-site basis.

While the flaw is critical for most platforms, it is rated as only moderate on Windows Server 2003.

Although Windows NT 4.0 is no longer supported by Microsoft as of Dec. 31, 2004 without a custom support contract, Microsoft did test the operating system and determined it was not vulnerable by default. However, users who have installed Internet Explorer 6.0 Service Pack 1 on Windows NT 4.0 are vulnerable. A separate patch is available to harden IE 6 SP1 against the flaw.

Bulletin MS05-002 affects all supported versions of Windows, except for Windows XP SP2. Microsoft also developed and is distributing freely a patch for Windows NT Server 4.0 and Windows NT Server 4.0 Terminal Server Edition, despite the end of extended support for NT 4 last year. (See related story).

The critical remote code execution vulnerability occurs because of a problem in cursor and icon formatting, and is critical for all affected platforms. The bulletin also includes a patch for a separate flaw in the Windows kernel that is rated as an important problem across the affected Windows platforms.

The third bulletin, MS05-003, involves a flaw in the Indexing Service that could allow remote code execution. Because the service is not enabled by default in the affected version of Windows, the vulnerability received an important rather than critical designation.

Versions of Windows that are vulnerable if the Indexing Service is turned on are Windows XP, Windows 2000 and Windows Server 2003. Windows XP SP2, Windows NT Server 4.0, Windows 98/98SE/ME are immune.